Unlock or decrypt your FileVault 2-encrypted boot drive from the command line

In addition to using Disk Utility, you can also use the command line to unlock or decrypt a FileVault 2-encrypted drive. To make sure it all works, I recommend that you boot from the Recovery HD partition or from a copy of the Recovery HD partition cloned onto an external drive. See below the jump for the procedure.

To start with, you will need to identify the Logical Volume UUID of the encrypted drive using the diskutil corestorage list command:

diskutil corestorage list

Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:

Once you have the UUID, you can then either unlock or decrypt the encrypted volume using the following commands.

Using the password of an authorized account on the command line

To unlock: diskutil corestorage unlockVolume UUID -stdinpassphrase

The -stdinpassphrase flag will cause the command to prompt you for the password/passphrase of an account that’s authorized to unlock the encryption.

If successful, the drive will unlock and mount. You should see output similar to that shown below.

Once you’ve unlocked the disk, you can then revert it back from being an encrypted volume.

To decrypt: diskutil corestorage revert UUID -stdinpassphrase

You’ll be prompted for the password/passphrase of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.

To track its progress, you can use the diskutil corestorage list command. To help identify the decryption status, I’ve highlighted the relevant sections to check in the list.

Once the drive has been completely decrypted, it will no longer be listed as a CoreStorage volume by diskutil corestorage list. In Disk Utility, it should appear as a normal hard drive.
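The two checks described above (finding the Logical Volume UUID, then watching the conversion status) can be scripted. This is an added example, not part of the original post: the listing and its UUIDs are constructed, the field names assume the usual diskutil corestorage list layout, and cs_state is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE is a constructed
# `diskutil corestorage list` listing; every UUID in it is a placeholder.
SAMPLE='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-AAAA-4AAA-8AAA-111111111111
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 22222222-BBBB-4BBB-8BBB-222222222222
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 33333333-CCCC-4CCC-8CCC-333333333333
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    backward
        |
        +-> Logical Volume 44444444-DDDD-4DDD-8DDD-444444444444
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Conversion Progress:   42%
            LV Name:               Macintosh HD'

# cs_state (hypothetical helper): read a Core Storage listing on stdin and
# print one line: the state, the Logical Volume UUID, and any progress value.
# A listing with only a group and a physical volume has no UUID to unlock.
cs_state() {
  awk '
    $2 == "Logical" && $3 == "Volume" && NF == 4 { lv = $4 }
    /Encryption Status:/    { enc  = $NF }
    /Conversion Status:/    { conv = $NF }
    /Conversion Direction:/ { dir  = $NF }
    /Conversion Progress:/  { prog = $NF }
    END {
      if (lv == "")              print "no-logical-volume"
      else if (enc == "Locked")  print "locked " lv
      else if (conv == "Converting" && dir == "backward")
                                 print "decrypting " lv " " prog
      else if (conv == "Converting")
                                 print "converting " lv " " prog
      else                       print "unlocked " lv
    }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | cs_state
```

Against a real drive, pipe the live listing in instead: diskutil corestorage list | cs_state.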

Using the FileVault 2-generated individual recovery key on the command line

If you don’t have the password of any of the authorized accounts and you are not using an institutional recovery key with FileVaultMaster.keychain, you can use the FileVault 2-generated individual recovery key instead. The commands are mostly the same, but instead of the -stdinpassphrase flag, you use -passphrase followed by the recovery key. Because the key is then an argument on the command line rather than typed at a prompt, it is visible in the process listing while the command runs.

If successful, the drive will unlock and mount. You should see output similar to that shown below.

Once you’ve unlocked the drive, you should also be able to decrypt it using this command: diskutil corestorage revert UUID -passphrase recoverykey

Using FileVaultMaster.keychain on the command line

At this time, it’s only possible to unlock or decrypt from the command line if you’re using an institutional recovery key that’s been set with FileVaultMaster.keychain. Here’s how you can unlock the encryption using an institutional recovery key with FileVaultMaster.keychain:

1. Copy your FileVaultMaster recovery keychain from the safe place your institution stored it in to a drive that you can access from Recovery HD.

In my case, I cannot find “Logical Volume UUID” too, simply because the volume is not a logical volume but a physical volume.

Here is the solution that has worked for me:
1. Find the “Logical Volume Group UUID”, i.e., lvgUUID
2. In Terminal, diskutil coreStorage delete lvgUUID
3. After that, the volume is reverted to a normal disk, available for erasing and/or formatting.

I don’t think data in the volume would be lost but I’m not sure. Losing data is not a crucial point for me because they are backed up elsewhere.

From the diskutil output you’ve posted, it appears that your hard drive is having a problem. Is the FileVault 2 partition on its own separate hard drive, or is it on the same physical hard drive as another partition that’s working fine?

If the FileVault 2 partition is the only one on the hard drive, the drive may be suffering a hardware failure.

The scenario that happened was: I created a standard user and rebooted the Mac. Then I tried logging in directly as the standard user. It showed “No Parking Symbol error” after the Apple logo. Then I rebooted the Mac and logged in with the FileVault-enabled user, but again the machine shows the same error after the Apple logo…


(Sorry, the first time I tried to post this I used angled brackets, which were filtered out)

Thank you so much, rtrouton! I tried to convert an external drive to Core Storage and it seemed to be stuck at “Status: Checking”, with only a Logical Volume Group and a Physical Volume listed by diskutil cs list. So, no Logical Volume Family or Logical Volume. I already thought about erasing the disk, but

diskutil repairVolume diskXsY

(where diskXsY is a volume ID for the partition of type Apple_CoreStorage, such as disk0s5) triggered the actual conversion process. It immediately asked for the passphrase, and both the LVF and the LV are listed.

At this point, you may want to try booting from one of your Recovery HD partitions and see if you can use Disk Utility to unlock the encrypted volume then repair it. If that doesn’t work, the encrypted partition may be unrecoverable.

I am having the same problem, and want to try exactly this, but where you typed in “diskutil corestorage unlockVolume UUID -stdinpassphrase”, where did you get the UUID? From your OP, and from what I’m seeing on my end, I don’t see a UUID for the logical volume, just the group and physical disk, which it won’t accept for unlocking.

NURV2600 :
I am having the same problem, and want to try exactly this, but where you typed in “diskutil corestorage unlockVolume UUID -stdinpassphrase”, where did you get the UUID? From your OP, and from what I’m seeing on my end, I don’t see a UUID for the logical volume, just the group and physical disk, which it won’t accept for unlocking.

I have the same problem (and the same question). Here is my diskutil cs list:

Thanks for this post. This saved me after a failed installation of Mountain Lion, which caused my MBPro encrypted disk to appear faulty. I tried reinstalling Lion (from USB and from Apple – using the Command-R sequence) but it kept on failing. Only after I decrypted the drive using the commands from this post – my MBPro came back to life. Thanks again

Just wanted to say thanks for your article. This saved my hard drive. My backup HD was encrypted as a Time Machine backup. I knew the password but each time I entered it the HD would not appear to unlock through the GUI interface (the password entry box would become unselectable indefinitely). I used this function diskutil corestorage unlockVolume UUID -stdinpassphrase to unlock the disk. It allowed me to unlock the disk and then attached it to the computer as disk2 but it wouldn’t mount. Even so I was able to use this to unlock the disk and then access the files. Thanks very much.

In an attempt to be clever, I recently formatted a new blank drive as Encrypted using Disk Utility. I chose a password, which I know. I then cloned my old boot drive to this encrypted drive – this way I both copied all the data AND encrypted it at the same time. I don’t believe I was ever shown the long “recovery key”; I only have the password. Is there any way to retrieve the recovery key? I’m a bit nervous only having the password and not the recovery key. Should I be? Thanks much!

When you encrypt a non-boot volume (which is the method you encrypted your disk with before cloning your OS to it) there is no recovery key, only the password. There is no way to add a recovery key after you encrypt, so your password is the only way to unlock your drive.

I strongly recommend decrypting your drive, restarting, then re-encrypting your boot volume using the standard FileVault 2 encryption tools. When you re-encrypt, a recovery key will be generated.

Casey

August 16, 2012 at 9:44 pm

Thank you for that information!

I know I will not forget the password I used. Is there any other reason I should decrypt and re-encrypt it as you suggest? I’d prefer not to, partly because before using the technique I did I had a problem where it finished encrypting then said there was an error and I could neither encrypt nor decrypt it! I actually had to use command line techniques like you showed here to unlock the drive so I could reformat it again.

Hi, I recently encrypted my hard drive. I’m not even sure how I did it; every time I try to access it to try and remove the encryption it denies entry. I have no decryption software etc. etc. and I really need advice on how to get rid of my problem; also it doesn’t allow me to save anything, therefore I can’t download anything.

This thread is as close as I could come to finding a solution. I used Disk Utility to encrypt an external HDD. During the encryption, the drive unmounted, I think due to the cable to the drive being bumped. It then tried to mount and would not. The passphrase would not work either. I have data on it. I ran the diskutil corestorage list and it is copied in below. It still says it is converting and there is no disk activity.

Hi, I’m having a huge issue I need resolving… I just bought a new solid-state hard disk to put in my MBP. Now I bought the rack replacement for my DVD-RW drive and put my 500 GB in it. Works like a charm. Now the issue is that I started deleting files from my 500 GB and transferring the required ones to the new solid state… Finally wanted to format the 500 GB and can’t because of the FileVault security… It will not allow me to unmount the drive… Please advise, as I’ve lost my key (I know, I’m bad for losing the key) and I can’t unmount the 500 GB for me to format… Please advise

Is the drive mounting? I’m asking because you’re referencing being unable to unmount the drive.

If it’s mounting, it’s getting the authentication credentials needed to mount from somewhere. Are you entering a password before it mounts, or do you have a password stored in your login keychain?

If you have the password available, you can decrypt the drive using that password by following the instructions in the “Using the password of an authorized account on the command line” section of this post.

jpdoffay

December 16, 2012 at 7:27 pm

Hi rtrouton… thanks for the response, but I got another thread from another site and it’s all good now… thanks a lot… have a happy holidays

Hi guys,
I was wondering if you could perhaps give me a hand… My problem is very similar to some of those mentioned before. What happened is after my Mac failed to boot from the CS partition (grey Apple logo taking forever) I did boot into the internet recovery. Now what is happening with the diskutil is that:

Oh god, I’ve finally found some light on my problem (for that I thank you, rtrouton), unfortunately not my solution. Maybe you or somebody can help or give me any idea.

I got a 500 GB HDD with only one partition (or so it seems, because the Recovery partition never showed up with my installation of Lion), obviously this partition with FileVault 2 turned on, and just a couple of days ago when I started it up, after it turns on, shows me my profile and the guest one, asks for my password and shows the Apple logo, it gives me the error sign of death.

So after some research I came across all the bad implications of having FileVault turned on, one of them the difficulty of solving boot problems!

So I came across your blog entry, and after reading all of it and the comments, I’ve got the same problem as a few other “above” friends, and using an external USB flash memory with a fresh 10.7.5 installation, using the Terminal, I got this:

rima :
Hi Karthikeyan,
Were you able to solve your problem? I am having the same problem and I really need to save my data. Thanks in advance.

I too am having the same problem. The encrypted macHD comes as “failed” in the core storage list. I cannot find its UUID to decrypt or unlock it! Wasted money on disk warrior only to find that it cannot recover encrypted drives! Will it help connecting to another mac with FireWire in target mode? Or is it the END of this failed encrypted drive and its data? Can I erase it and then will the disk warrior work? Perhaps not!

Once it’s decrypted, you should have full access to your hard disk’s data.”

I have the newest iMac, the late 2012 model, and I’m sorry that I don’t recall the message exactly, but when I enter that command, the terminal says that it can’t decrypt because there is more than one volume. – That’s because I bought the build with a Fusion drive.
I thought it would be very helpful but instead it has been a nightmare when combined with HFS+ and FileVault 2.

Luckily I’ve been able to get a lot of data off copied to a hard drive with just the instructions you gave up to that point. Unluckily the iMac now crashes exactly at the point it says it has been unlocked and mounted. – All in recovery mode of course

Thank you for the help with such a great post. I was really looking forward to finding out about your recent speaking engagement, so now I’m off to read your presentation.

Oh, also about the Fusion drive, I’m not even sure how to make an image of the hard drive since it’s spread across both drives. I’m still trying to figure that one out. Would you post something about that soon if you could?

You, sir, are a hero. It’s possible that I may never forget the time you saved my Mac when I was on a trip out of the country and decided to turn on encryption “just in case”. After turning on FileVault 2 I got a normal login screen but after logging in got nothing but the circle-slash. The machine had Boot Camp, which may or may not have been a factor, but luckily it enabled me to bring it to life (in Windows) so that I found this page. The “…list” command showed that the volume was “revertable” and that no encryption had actually been done. The diskutil revert command above gave me my fully functional Mac side back. I can’t tell you how much this has saved my day in getting me access to my cloud data (Mac Contacts, iCal). THANK YOU, THANK YOU.

I have a question: can we mount the encrypted volume as a target disk drive on another running system (not in recovery mode) with the institutional master key for easy backup and file manipulation? – in case we do not have the password of the user

I have been trying a lot but I keep getting the error below and have not been successful mounting it.

Unlocking or decrypting with the institutional key can only be performed from a recovery partition or from Internet Recovery. If you’re not booted from a recovery drive, you’ll see the error you’ve described.

Hi… I’ve gotten my drive into a funny state. I did not use ‘revert’, instead I used decryptVolume. It merrily went on its way and seems to have decrypted everything, *but* it did not remove the lock from the volume. Now, I am unable to unlock it, revert it, or re-encrypt it. How do I get back to some sane state?

I have been able to follow the instructions up until the point where it asks for a passphrase, but I am unable to type anything after that. I literally can’t enter anything or copy and paste my password in. Any ideas?

Hoping I could get some help with decryption. I have unlocked my encrypted hard drive using an institutional recovery key and have decrypted it using the “revert” command, but it appears to be stuck. I left it to decrypt overnight and the decryption progress now shows 100%; however, the conversion status still shows “Converting” and the conversion direction still shows “backward.”

If the conversion progress shows 100%, shouldn’t the other status indicators be showing “complete”? Should I have used the “decryptVolume” command instead of the “revert” command? Any ideas?

For others experiencing the same problem, I worked out a solution for the disk not being completely decrypted through Terminal like I mentioned in the comment above.

After decrypting from the terminal and letting the progress reach 100%, I then quit terminal and opened Disk Utility and selected to turn off encryption on the encrypted volume which worked (all while being booted in recovery mode cmd+r). I then restarted and was able to login and confirm that FileVault has been turned off in System Preferences. I don’t know what extra thing turning off encryption through Disk Utility does after decryption reaches 100% in terminal, but it seems to fully remove encryption attributes from the disk/volume.

I also tested another way by again, booting into recovery mode (cmd+r), going through terminal to unlock the disk with my institutional recovery key but NOT decrypting the drive through terminal. Instead, after unlocking the disk with the recovery key, I then quit terminal and open Disk Utility and select to turn off encryption on the volume. I get prompted for the password for my institutional recovery key and after entering it, I’m prompted that decryption has started and that I can track the progress in Sys Pref>FV. I then proceed to restart and I can login and confirm in Sys Pref>FV that the disk is being decrypted.

This page has saved me! Thank you! I can now access my decrypted external drive again by using the unlock instructions. But each time I plug it in, I have to unlock it again. If I use Disk Utility instead of the command line, I don’t even have to enter a password to unlock it!

Get Info in the Finder still shows it as Journaled, Encrypted, whereas DU shows it as simply Journaled. Maybe that’s part of the problem. I can live with this, but if there is a way to permanently unlock this disk, I would love to know what it is.